"Update on March 12, 2012: To assist victims affected by the DNSChanger malicious software, the FBI obtained a court order authorizing the Internet Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers. This solution is temporary, providing additional time for victims to clean affected computers and restore their normal DNS settings. The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time."

On 04/26/2012 11:44 AM, Andrew Latham wrote:
> On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart<jeroen [at] mompl> wrote:
>> Excuse the horrible subject :-)
>>
>> Anyone have anything insightful to say about it? Is it just lots of fuss
>> about nothing or is it an actual substantial problem?
>>
>> http://www.fbi.gov/news/stories/2011/november/malware_110911
>>
>> "Update on March 12, 2012: To assist victims affected by the DNSChanger
>> malicious software, the FBI obtained a court order authorizing the Internet
>> Systems Consortium (ISC) to deploy and maintain temporary clean DNS servers.
>> This solution is temporary, providing additional time for victims to clean
>> affected computers and restore their normal DNS settings. The clean DNS
>> servers will be turned off on July 9, 2012, and computers still impacted by
>> DNSChanger may lose Internet connectivity at that time."
>>
>> --
>> Earthquake Magnitude: 5.5
>> Date: Thursday, April 26, 2012 19:21:45 UTC
>> Location: off the west coast of northern Sumatra
>> Latitude: 2.6946; Longitude: 94.5307
>> Depth: 26.00 km
>
> Yes its a major problem for the users unknowingly infected. To them
> it will look like their Internet connection is down. Expect ISPs to
> field lots of support calls.

Based on conversations on this list a month or so ago, ISPs were contacted with details of which of their IPs had compromised boxes behind them, but it seems the consensus is that ISPs were going to just wait for users to phone support when it broke rather than be proactive about it.

> Yes its a major problem for the users unknowingly infected. To them
> it will look like their Internet connection is down. Expect ISPs to
> field lots of support calls.

Is there a list of these temporary servers so I can see what customers are using them (indicating infection) and head off a support call with some contact?

-- Leigh


I suggest you reach out to Shadowserver or Team Cymru if you're a netblock owner. They can provide daily reports of infected IPs.

Andy

Andrew Fried andrew.fried [at] gmail

On 4/26/12 5:50 PM, Leigh Porter wrote:
>
> On 26 Apr 2012, at 22:47, "Andrew Latham" <lathama [at] gmail<mailto:lathama [at] gmail>> wrote:
>
> On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart <jeroen [at] mompl<mailto:jeroen [at] mompl>> wrote:
>
> Yes its a major problem for the users unknowingly infected. To them
> it will look like their Internet connection is down. Expect ISPs to
> field lots of support calls.
>
> Is there a list of these temporary servers so I can see what customers are using them (indicating infection) and head off a support call with some contact?
>
> --
> Leigh


The good folks at Shadowserver have been giving us a feed of IPs that are hitting those DNS servers since November, and last month we got the last of the customers cleaned up. Not all ISPs are non-proactive.


On 04/26/2012 05:00 PM, Andrew Latham wrote:
> On Thu, Apr 26, 2012 at 5:57 PM, Kyle Creyts<kyle.creyts [at] gmail> wrote:
>> http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
>>
>> On Apr 26, 2012 5:48 PM, "Leigh Porter"<leigh.porter [at] ukbroadband> wrote:
>>>
>>> On 26 Apr 2012, at 22:47, "Andrew Latham" <lathama [at] gmail<mailto:lathama [at] gmail>> wrote:
>>>
>>> On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart <jeroen [at] mompl<mailto:jeroen [at] mompl>> wrote:
>>>
>>> Yes its a major problem for the users unknowingly infected. To them
>>> it will look like their Internet connection is down. Expect ISPs to
>>> field lots of support calls.
>>>
>>> Is there a list of these temporary servers so I can see what customers are
>>> using them (indicating infection) and head off a support call with some
>>> contact?
>>>
>>> --
>>> Leigh
>
> 85.255.112.0 through 85.255.127.255
> 67.210.0.0 through 67.210.15.255
> 93.188.160.0 through 93.188.167.255
> 77.67.83.0 through 77.67.83.255
> 213.109.64.0 through 213.109.79.255
> 64.28.176.0 through 64.28.191.255
>
> Or for those that don't want to do the math, here they are in CIDR notation

It looks like the practical upshot is that computers that have been infected and not yet fixed may lose the ability to resolve names into IP addresses starting sometime after July 9, which is when the replacement nameservers are supposed to be stopped.

That in and of itself is quite a nuisance for the individual as well as the ISP helldesks but it could have been worse. I would certainly not call it "Internet doomsday".
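Leigh's question further up (which customers are using the temporary servers, indicating infection) and the address ranges Andrew Latham posted in reply both lend themselves to a small check an operator can run against a flow or DNS log. The script below is an added example and is not from this thread or from any of the organisations named in it: it collapses the six first/last ranges quoted above into CIDR prefixes and reports client addresses that send port-53 traffic to them. The `src dst proto dport` record format, the RFC 1918 client addresses and the sample records are constructed for the example; the six ranges are the ones posted in the thread.

```python
# Added example (not part of the NANOG thread): turn the first/last address
# ranges posted above into CIDR prefixes and flag clients that send DNS
# queries to them, the way an operator could use a flow or DNS log to find
# infected customers before the temporary servers are switched off.
import ipaddress
from collections import defaultdict

# The six ranges exactly as quoted in the thread (first address, last address).
DNSCHANGER_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]


def ranges_to_cidrs(ranges):
    """Collapse each (first, last) pair into the minimal list of CIDR networks.

    summarize_address_range() does the "math": a range that is not aligned to
    a single prefix comes back as several networks in ascending order.
    """
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


ROGUE_NETS = ranges_to_cidrs(DNSCHANGER_RANGES)


def is_rogue_resolver(ip):
    """True if the resolver address falls inside one of the posted ranges.

    Raises ValueError for strings that are not IP literals; an IPv6 address
    never matches an IPv4 prefix, so it simply returns False.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_NETS)


def find_suspect_clients(flow_lines):
    """Scan whitespace-separated 'src dst proto dport' flow records.

    Returns {client_ip: sorted list of rogue resolvers it queried}. Only
    UDP/TCP traffic to port 53 counts; malformed records are skipped.
    """
    hits = defaultdict(set)
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # not a well-formed record
        src, dst, proto, dport = parts
        if proto.lower() not in ("udp", "tcp") or dport != "53":
            continue  # not DNS traffic
        try:
            if is_rogue_resolver(dst):
                hits[src].add(dst)
        except ValueError:
            continue  # destination is not an IP literal
    return {client: sorted(resolvers) for client, resolvers in hits.items()}


# Constructed sample flow records (client addresses are RFC 1918 placeholders).
SAMPLE_FLOWS = [
    "10.1.2.3 85.255.112.5 udp 53",      # inside 85.255.112.0/20
    "10.1.2.3 8.8.8.8 udp 53",           # a clean resolver
    "10.9.9.9 93.188.167.250 udp 53",    # inside 93.188.160.0/21
    "10.9.9.9 64.28.192.1 udp 53",       # one address past 64.28.176.0/20
    "10.7.7.7 77.67.84.1 udp 53",        # one /24 past 77.67.83.0/24
    "10.7.7.7 85.255.120.1 tcp 80",      # rogue range, but not DNS traffic
    "10.5.5.5 2001:db8::53 udp 53",      # IPv6 resolver; cannot match
    "not a flow record",
]

if __name__ == "__main__":
    print("Prefixes:", ", ".join(str(n) for n in ROGUE_NETS))
    for client, resolvers in sorted(find_suspect_clients(SAMPLE_FLOWS).items()):
        print(f"{client} queried rogue resolver(s): {', '.join(resolvers)}")
```

Two of the sample clients are reported; the records that sit one address outside a prefix, the non-DNS flow to a rogue address and the IPv6 resolver are all left alone, which is the boundary behaviour to confirm before pointing the check at real customer data.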

If the user is stupid enough to be infected for that long I think it's a good thing they get cut off from the net, should be a policy of all ISPs. If you're infected then you lose the privilege to get online and thus you can't scan and infect other idiots or become a DDoS tool for the script kiddies. I for one say turn em off!!!!

> O'Reirdan, Michael wrote:
>> Please look at www.dcwg.org
>
> Thanks all for the information.
>
> It looks like the practical upshot is that computers that have been infected and not yet fixed may lose the ability to resolve names into IP addresses starting sometime after July 9, which is when the replacement nameservers are supposed to be stopped.
>
> That in and of itself is quite a nuisance for the individual as well as the ISP helldesks but it could have been worse. I would certainly not call it "Internet doomsday".
>
> Greetings,
> Jeroen
>
> --
> Earthquake Magnitude: 4.9
> Date: Friday, April 27, 2012 21:51:23 UTC
> Location: Prince Edward Islands region
> Latitude: -41.1063; Longitude: 43.4278
> Depth: 10.00 km

On Fri, Apr 27, 2012 at 5:35 PM, Ameen Pishdadi <apishdadi [at] gmail> wrote:
> If the user is stupid enough to be infected for that long I think it's a good thing they get cut off from the net , should be a policy of all ISPs , If your infected then you lose privilege to get online and thus you can't scan and infect other idiots or become a ddos tool for the script kiddies. I for one say turn em off!!!!
>
> Thanks,
> Ameen Pishdadi

Nope, they're dead unfortunately, but if they were alive I'd clean up their machines, maybe give them Chromebooks, something idiot proof.

Thanks, Ameen Pishdadi

On Apr 27, 2012, at 8:15 PM, ryanL <ryan.landry [at] gmail> wrote:

> On Fri, Apr 27, 2012 at 5:35 PM, Ameen Pishdadi <apishdadi [at] gmail> wrote:
>> If the user is stupid enough to be infected for that long I think it's a good thing they get cut off from the net , should be a policy of all ISPs , If your infected then you lose privilege to get online and thus you can't scan and infect other idiots or become a ddos tool for the script kiddies. I for one say turn em off!!!!
>>
>> Thanks,
>> Ameen Pishdadi
>
> you're obviously lucky, and don't have "stupid" grandparents.

On Fri, 27 Apr 2012 19:35:51 -0500, Ameen Pishdadi said:
> If the user is stupid enough to be infected for that long

And they'd know they were infected, how, exactly? (Think carefully before answering that, and keep in mind that although *you* may be the world's greatest IT specialist, the average Joe Sixpack wants to surf the web and read his e-mail, and does *not* understand (or even *want* to) very much about computer security).

At some point, in like 10 years when all the computer illiterate people are gone, there will be no more excuses for not being educated on malware and viruses. While I understand the ISP doesn't want to possibly cut into their profit margins, they could easily put in place monitoring tools that can detect network traffic that is malware bound and reach out to the customer by email, phone and if need be in person.

How much taxpayer money is spent to pay these FEDERAL (F.B.I.) agents to sit here and babysit these computer ignorant and illiterate people for 6 months? So for the big ISPs like Comcast I should pay out of my tax money because they cannot properly enforce a network policy that would require them to actually give a crap what is coming out of their network?

There are always going to be viruses and malware, they will find ways to get them through, but for heaven's sake why would we, if identified, leave millions of compromised machines online with an attempt to do a cleanup? YOU as a network operator have a responsibility to the other 40,000 AUTONOMOUS networks to make sure you're not polluting our private network infrastructure with garbage coming from your users and network. Clean up your mess.

Like we will not tolerate spammers being housed on 'hosting' networks, why should we tolerate malware and infections coming from ISPs??? How much money is spent cleaning up hacked WordPress servers and udp.pl scripts...

This is a much bigger issue than at any cost making sure a user can get on to Facebook to upload a picture of their cat sleeping upside down. If we enforced a proper policy and held network activity to certain standards the ISPs would fix the issue of ignorant users themselves by #1 educating their users, #2 implementing network monitoring on their outbound traffic to identify sources of infected and compromised machines, #3 implementing a cleanup policy, #4 letting the end user know they have a responsibility to make sure the machines they access the network from are clean and to do checks and to do their antivirus updates and OS updates.

Oh yeah, and if we got all these 'supporting' DNS servers up, why not just direct ALL users of it, who are clearly infected, to a temporary page that will enlighten the customer that they are infected and give them instructions on cleanup and give them a deadline of when their service will stop......... How hard is that?

On Fri, Apr 27, 2012 at 10:55 PM, <Valdis.Kletnieks [at] vt> wrote:

> On Fri, 27 Apr 2012 21:39:20 -0500, you said:
>
> > Is it not detected by the common anti-virus software vendors? If the
>
> This assumes that the computer hasn't been hit by something *else* that
> disables the user's AV software. Remember, multiple infections are
> *common*.
>
> > internet stopped working on my computer i would reach out to someone who
> > knew how to fix it, keeping these people online and spreading the malware
> > helps how??
>
> The point is that the internet *didn't* stop working, so they have no
> reason to reach out yet.
>
> And no, you can't just blindly cut the users off and make them call the
> ISP for several reasons:
>
> 1) At that point, the ISP incurs an expense to fix a problem they didn't
> cause. Remember that margins on most consumer-grade Internet accounts are
> pretty thin, and one long support call can wipe out the profit. So explain
> why the ISP wants to cut off a user who makes them $10/year profit, and
> spend $30 or more handling the support call, when they aren't in the
> business of providing security services to end users?
>
> 2) If the user has no POTS, cutting them off may have just cut off their
> 911 service. You want to take that risk?
>
> 3) Many times, there are multiple customer computers behind a NAT. Do you
> really want the hassle of an irate user calling in because you just broke
> the dad's VPN to work, because one of their kids has some cruft on their
> computer? (And no, don't try to tell them they should have bought
> business class service or similar crap, that *will* lose you a customer).
>
> So explain why the ISP wants to cut off the user, when it will cost them
> money, and possibly a customer?

> On Fri, 27 Apr 2012 21:39:20 -0500, you said:
>
> 3) Many times, there are multiple customer computers behind a NAT. Do you
> really want the hassle of an irate user calling in because you just broke
> the dad's VPN to work, because one of their kids has some cruft on their
> computer? (And no, don't try to tell them they should have bought
> business class service or similar crap, that *will* lose you a customer).

The malware isn't infecting the end-user's router, therefore if there are multiple users behind that NAT'd router, as long as they're not infected they won't be shut off when those DNS servers go dark.

And if daddy is dumb enough to let his 8 year old son use his PC or laptop w/o proper monitoring and gets infected, that's his fault. I know I don't let my 10 year old use my work computers, and he knows how to code, but he is still a child and clicks stupid things.

You're basically telling me the ISPs should not take any responsibility, well then how can we get pissed off when a host lets a spammer spam for a week straight and is aware and doesn't shut them off, or notices a DDoS attack is stemming from their network, a customer has 5-6 servers he pays for with unmetered gigabit ports and is clearly blasting someone to hell and back with spoofed packets, but because their margins are so thin they shouldn't turn him off and cancel him so they do not have to cut into their 'margins'...

In the network world you're either on the content side or the eyeball side, and the eyeball networks seem to have double standards when it comes to network abuse. Until this ends and the double standards stop, the amount of malware and attacks will never decrease.

I say to your 'it costs the ISP money' to do cleanup, that it costs content providers money to do cleanup of constantly being scanned and probed and hacked by what is mostly hacked end-user machines who got owned browsing the internet because they went to a website that had a virus installed by another end-user's machine who was compromised the same way. It's a vicious circle, and as an operator of a content provider I'm tired of the other half of the internet not taking their share of the responsibility.

> And what about the millions of users unknowingly infected with
> "something else" ??

You have to start somewhere. I received a warning letter, and four or five very organizations had to cooperate in new ways to make this happen. This is certainly a welcome development, and hopefully, this experience can be used for other mitigation efforts.

On Thu, Apr 26, 2012 at 10:03:44PM -0400, Jeff Kell wrote:
> And what about the millions of users unknowingly infected with
> "something else" ??

s/millions/hundreds of millions/

We passed the 100M zombie/bot mark years ago and nothing has happened in the interim that should/would cause the trend to reverse. (Based on what I've seen, the curve continues to monotonically increase.) Worse, even the most sophisticated measurement techniques we have are guaranteed to miss some unknown/unknowable fraction of the total population, since botmasters are known to keep reserves. And worse yet, we're now seeing infestations of portable devices/phones, systems running MacOS, etc., so while it's been, to this point, a Windows problem to about five to seven 9's, it's not anymore, and it's not going to be.

> Does anyone have a plan?

No. Well, that's a bit unfair: lots of people have ideas, proposals, and such, but until/unless there's a massive, coordinated, focused effort -- which will cost a LOT of money -- those ideas and proposals can have (at best) temporary, localized effects. I would like to think that the software vendors whose products are involved would step up, but if that was going to happen, it probably would have happened by now.

The most likely outcomes are:

(1) The status quo will continue: massive amounts of attention, effort, and money will be focused on mitigating the consequences (e.g., anti-spam, anti-phish, anti-DDoS, anti-malware, anti-anti-anti defenses) and almost none will be focused on addressing the root causes.

(2) Those running networks which are infested on a systemic and chronic basis will continue to do so and will not be held accountable (by anyone) for their incompetence.

(3) More sophisticated bot-creating software will be developed and thoroughly tested against anti-malware products before being deployed.

(4) Botnet command and control mechanisms will become more resilient in the face of attacks.

(5) Every now and then, some vendor and/or some government agency will have a press conference and engage in self-congratulatory chest-beating about how they've taken down a 5-million member botnet, while botmasters are busy recruiting all 5 million still-compromised systems into new botnets.

(6) Once in a while, some poor unsuspecting person sitting in front of one of these systems will be stuck holding the bag when clueless prosecutors, assisted by thoroughly ignorant judges and stunningly inept "experts", decide to score some election-year points by destroying an innocent person's life: see "Julie Amero" for a canonical example.

(7) Data harvested from all these systems will continue to be collated and sold to spammers, phishers, identity thieves, blackmailers, and anyone else with a passing interest in the usable contents of large numbers of systems.

(8) Legislators and politicians who cannot even use computers will propose and likely pass bill after bill after bill which not only makes the situation worse, but uses it as an excuse to destroy the few remaining protections that citizens have against wholesale government snooping into their private lives. As a bonus, they'll ensure that much of this information is passed along to any private contractors who've made sufficient campaign contributions, and they in turn will be hacked by the first bored 17-year-old with an attitude that takes note of their existence.

Oh. Almost forgot. At each step, the favorite phrases of people who've failed to learn from history, failed to heed warnings, failed to educate themselves, failed to listen to experts and now wish to distance themselves as far as they possibly can from the direct consequences of their own choices and actions will be used:

> Based on conversations on this list a month or so ago, ISPs were
> contacted with details of which of their IPs had compromised boxes
> behind them, but it seems the consensus is that ISP were going to just
> wait for users to phone support when it broke rather than be proactive
> about it.

I doubt most big ISPs would be so reactive (those calls cost real money after all, and customer satisfaction suffers), but I guess you never know. At Comcast we have done the following:
- Sent emails
- Sent postal mail
- Left voicemail
- Used automated outbound calling
- Used increasingly persistent web browser notifications

We've measured the effectiveness of some of these notification methods, which we'd not employed previously in our Constant Guard bot notification program. We're considering writing up a paper about this after the July date passes.

> And what about the millions of users unknowingly infected with
> "something else" ??
>
> (We have enough trouble isolating/remediating issues among our
> relatively small user base, I'd hate to be facing a major ISP size
> support/remediation effort...)
>
> Does anyone have a plan?

Well, there's the new botnet code of conduct thing (Mike O'Reirdan can chime in with more info here). Plus ISPs like the one I work at (Comcast) have been doing bot notification and remediation for some time now. I know other ISPs have different approaches, and so different bot programs, but the majority of them are doing something (with a few exceptions).

On Tue, May 1, 2012 at 8:26 AM, Livingood, Jason <Jason_Livingood [at] cable> wrote:
> On 4/26/12 10:03 PM, "Jeff Kell" <jeff-kell [at] utc> wrote:
>
>> And what about the millions of users unknowingly infected with
>> "something else" ??
>>
>> (We have enough trouble isolating/remediating issues among our
>> relatively small user base, I'd hate to be facing a major ISP size
>> support/remediation effort...)
>>
>> Does anyone have a plan?
>
> Well, there's the new botnet code of conduct think (Mike O'Reirdan can
> chime in with more info here). Plus ISPs like the one I work at (Comcast)
> have been doing bot notification and remediation for some time now. I know
> other ISPs have different approaches, and so different bot programs, but
> the majority of them are doing something (with a few exceptions).
>
> Jason

This is a reply to you, but it's intended to be directed at everyone who runs a consumer network, since zombies are everywhere.

Why haven't you cut these obviously-infected systems off entirely? They no longer belong to their putative owners in any meaningful sense: oh, they might be in their homes, sitting on their desktops, but they're owned, operationally, by parties unknown -- botmasters and anyone that they're renting them out to. The only use your customers are making of them is that which they are *permitted* to do by the largesse of their new owners, who of course find it convenient to maintain the illusion because it encourages the former owners to keep them switched on and plugged into your network.

(And given that your customer is not using their own system any more, there's no reason to believe that its new owners will permit them to see any email you send or any web browser notifications you emit. I'm sure if these become prevalent, not just at Comcast but among other major ISPs, the botmasters will pay someone to do the coding necessary to suppress them, and then propagate that code to all their bots.)

This isn't to say that what you're doing isn't well-intentioned: it is. And it's a lot more than many others are doing. But if it was going to work, it would have worked by now.